314105 2026-05-05 10:26:54 -0700 [threaded-animations] animating `offset-path` between `margin-box` and `stroke-box` yields a crash under `AcceleratedEffectValues::AcceleratedEffectValues(WebCore::RenderStyle const&, WebCore::IntRect const&, WebCore::RenderLayerModelObject const*)` 2026-05-08 07:18:45 -0700 1 1 1 Unclassified WebKit Animations WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 graouts sam bfulgham graouts sam webkit-bug-importer oldest_to_newest 2207715 0 graouts 2026-05-05 10:26:54 -0700 Creating this simple animation: const animation = document.getElementById("target").animate( { transform: "translateX(100px)", offsetPath: ["margin-box", "stroke-box"] }, 1000 ); … yields a crash under `AcceleratedEffectValues::AcceleratedEffectValues(WebCore::RenderStyle const&, WebCore::IntRect const&, WebCore::RenderLayerModelObject const*)`. 2207716 1 graouts 2026-05-05 10:27:14 -0700 rdar://176159562 2207717 2 479479 graouts 2026-05-05 10:27:58 -0700 Created attachment 479479 Test Attaching a test that reproduces the issue and is ready to use as a layout test. 2207718 3 graouts 2026-05-05 10:29:40 -0700 This was caused by 310214@main. 2207794 4 sam 2026-05-05 14:14:16 -0700 Is this really a security issue? It's accessing an std::optional when it's not engaged. Doesn't that cleanly abort? 2207800 5 479483 sam 2026-05-05 14:32:06 -0700 Created attachment 479483 Fix Attaching fix. 2208823 6 sam 2026-05-07 18:40:14 -0700 Pull request: https://github.com/WebKit/WebKit/pull/64516 2208989 7 ews-feeder 2026-05-08 07:18:43 -0700 Committed 312881@main (1b01b6d32c39): <https://commits.webkit.org/312881@main> Reviewed commits have been landed. Closing PR #64516 and removing active labels. 479479 2026-05-05 10:27:58 -0700 2026-05-05 10:27:58 -0700 Test bug-314105.html text/html 622 graouts PCFET0NUWVBFIGh0bWw+PCEtLSB3ZWJraXQtdGVzdC1ydW5uZXIgWyBUaHJlYWRlZFRpbWVCYXNl ZEFuaW1hdGlvbnNFbmFibGVkPXRydWUgXSAtLT4KPHN0eWxlPgojdGFyZ2V0IHsKICAgIHdpZHRo OiAxMDBweDsKICAgIGhlaWdodDogMTAwcHg7CiAgICBiYWNrZ3JvdW5kLWNvbG9yOiBibGFjazsK ICAgIG9mZnNldC1wYXRoOiBtYXJnaW4tYm94Owp9Cjwvc3R5bGU+CjxkaXYgaWQ9InRhcmdldCI+ PC9kaXY+CjxzY3JpcHQ+Cihhc3luYyAoKSA9PiB7CiAgICB3aW5kb3cudGVzdFJ1bm5lcj8uZHVt cEFzVGV4dCgpOwogICAgd2luZG93LnRlc3RSdW5uZXI/LndhaXRVbnRpbERvbmUoKTsKICAgIGNv bnN0IGFuaW1hdGlvbiA9IGRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCJ0YXJnZXQiKS5hbmltYXRl KAogICAgICAgIHsgdHJhbnNmb3JtOiAidHJhbnNsYXRlWCgxMDBweCkiLCBvZmZzZXRQYXRoOiBb Im1hcmdpbi1ib3giLCAic3Ryb2tlLWJveCJdIH0sCiAgICAgICAgMTAwMAogICAgKTsKICAgIGF3 YWl0IGFuaW1hdGlvbi5yZWFkeTsKICAgIGF3YWl0IG5ldyBQcm9taXNlKHNldFRpbWVvdXQpOwog ICAgd2luZG93LnRlc3RSdW5uZXI/Lm5vdGlmeURvbmUoKTsKfSkoKTsKPC9zY3JpcHQ+Cg== 479483 2026-05-05 14:32:06 -0700 2026-05-05 14:32:06 -0700 Fix fix-for-314105.diff text/plain 2238 sam ZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJDb3JlL3BsYXRmb3JtL2FuaW1hdGlvbi92YWx1ZXMvcGF0 aHMvQWNjZWxlcmF0ZWRFZmZlY3RDb29yZEJveC5oIGIvU291cmNlL1dlYkNvcmUvcGxhdGZvcm0v YW5pbWF0aW9uL3ZhbHVlcy9wYXRocy9BY2NlbGVyYXRlZEVmZmVjdENvb3JkQm94LmgKaW5kZXgg NTM0ZjExMjNkZDEyLi5iMDhiMDdjN2M2MzMgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJDb3JlL3Bs YXRmb3JtL2FuaW1hdGlvbi92YWx1ZXMvcGF0aHMvQWNjZWxlcmF0ZWRFZmZlY3RDb29yZEJveC5o CisrKyBiL1NvdXJjZS9XZWJDb3JlL3BsYXRmb3JtL2FuaW1hdGlvbi92YWx1ZXMvcGF0aHMvQWNj ZWxlcmF0ZWRFZmZlY3RDb29yZEJveC5oCkBAIC0yOSw4ICsyOSwxMyBAQAogCiBuYW1lc3BhY2Ug V2ViQ29yZSB7CiAKKy8vIEZJWE1FOiBUaGUgTW90aW9uIFBhdGggc3BlYyBjYWxscyBmb3IgdGhp cyB0byBiZSBhIDxjb29yZC1ib3g+LCBub3QgYSA8Z2VvbWV0cnktYm94PiwgdGhlIGRpZmZlcmVu Y2UgYmVpbmcgdGhhdCB0aGUgZm9ybWVyIGRvZXMgbm90IGNvbnRhaW4gIm1hcmdpbi1ib3giIGFz IGEgdmFsaWQgdGVybS4KKy8vIEhvd2V2ZXIsIHRoZSBzcGVjIGFsc28gaGFzIGEgZmV3IGV4YW1w bGVzIHVzaW5nICJtYXJnaW4tYm94Iiwgc28gdGhlcmUgc2VlbXMgdG8gYmUgc29tZSBhYmlndWl0 eSB0byBiZSByZXNvbHZlZC4gU2VlOiBodHRwczovL2dpdGh1Yi5jb20vdzNjL2Z4dGYtZHJhZnRz L2lzc3Vlcy80ODEKKy8vIFdlIGN1cnJlbnRseSBwYXJzZSBpdCBhcyBhIDxnZW9tZXRyeS1ib3g+ LCBzbyAibWFyZ2luLWJveCIgaXMgaW5jbHVkZWQuCisKIGVudW0gY2xhc3MgQWNjZWxlcmF0ZWRF ZmZlY3RDb29yZEJveCA6IHVpbnQ4X3QgewogICAgIENvbnRlbnRCb3gsCisgICAgTWFyZ2luQm94 LAogICAgIFBhZGRpbmdCb3gsCiAgICAgQm9yZGVyQm94LAogICAgIEZpbGxCb3gsCmRpZmYgLS1n aXQgYS9Tb3VyY2UvV2ViQ29yZS9zdHlsZS92YWx1ZXMvc2hhcGVzL1N0eWxlUGF0aE9wZXJhdGlv bldyYXBwZXJzLmNwcCBiL1NvdXJjZS9XZWJDb3JlL3N0eWxlL3ZhbHVlcy9zaGFwZXMvU3R5bGVQ YXRoT3BlcmF0aW9uV3JhcHBlcnMuY3BwCmluZGV4IDhhY2E5Yzg1NmVkZC4uZjdmZjM2MjE4ZmQx IDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViQ29yZS9zdHlsZS92YWx1ZXMvc2hhcGVzL1N0eWxlUGF0 aE9wZXJhdGlvbldyYXBwZXJzLmNwcAorKysgYi9Tb3VyY2UvV2ViQ29yZS9zdHlsZS92YWx1ZXMv c2hhcGVzL1N0eWxlUGF0aE9wZXJhdGlvbldyYXBwZXJzLmNwcApAQCAtMTU0LDggKzE1NCw5IEBA IHN0YXRpYyBzdGQ6Om9wdGlvbmFsPEFjY2VsZXJhdGVkRWZmZWN0Q29vcmRCb3g+IHRvQWNjZWxl cmF0ZWRFZmZlY3RDb29yZEJveChDU1NCCiB7CiAgICAgc3dpdGNoIChib3hUeXBlKSB7CiAgICAg Y2FzZSBDU1NCb3hUeXBlOjpCb3hNaXNzaW5nOgotICAgIGNhc2UgQ1NTQm94VHlwZTo6TWFyZ2lu Qm94OgogICAgICAgICByZXR1cm4gc3RkOjpudWxsb3B0OworICAgIGNhc2UgQ1NTQm94VHlwZTo6 TWFyZ2luQm94OgorICAgICAgICByZXR1cm4gQWNjZWxlcmF0ZWRFZmZlY3RDb29yZEJveDo6TWFy Z2luQm94OwogICAgIGNhc2UgQ1NTQm94VHlwZTo6Qm9yZGVyQm94OgogICAgICAgICByZXR1cm4g QWNjZWxlcmF0ZWRFZmZlY3RDb29yZEJveDo6Qm9yZGVyQm94OwogICAgIGNhc2UgQ1NTQm94VHlw ZTo6UGFkZGluZ0JveDoKZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJLaXQvU2hhcmVkL1dlYkNvcmVB cmd1bWVudENvZGVycy5zZXJpYWxpemF0aW9uLmluIGIvU291cmNlL1dlYktpdC9TaGFyZWQvV2Vi Q29yZUFyZ3VtZW50Q29kZXJzLnNlcmlhbGl6YXRpb24uaW4KaW5kZXggOWRiY2E3OTliOTViLi44 OGNlMzdlZWQ2YTQgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJLaXQvU2hhcmVkL1dlYkNvcmVBcmd1 bWVudENvZGVycy5zZXJpYWxpemF0aW9uLmluCisrKyBiL1NvdXJjZS9XZWJLaXQvU2hhcmVkL1dl YkNvcmVBcmd1bWVudENvZGVycy5zZXJpYWxpemF0aW9uLmluCkBAIC02NDY4LDYgKzY0NjgsNyBA QCBzdHJ1Y3QgV2ViQ29yZTo6QWNjZWxlcmF0ZWRFZmZlY3RPcGFjaXR5IHsKIAogZW51bSBjbGFz cyBXZWJDb3JlOjpBY2NlbGVyYXRlZEVmZmVjdENvb3JkQm94IDogdWludDhfdCB7CiAgICAgQ29u dGVudEJveCwKKyAgICBNYXJnaW5Cb3gsCiAgICAgUGFkZGluZ0JveCwKICAgICBCb3JkZXJCb3gs CiAgICAgRmlsbEJveCwK